New HSBC and Barclays bank XSS and open redirect bugs
Written by DP
Friday, 29 May 2009
*UPDATED 03/06/2009* - A fresh batch of critical cross-site scripting and open redirect vulnerabilities was added today to the archive. The following independent security researchers are credited with the discovery: PaPPy, Airrox, Xylitol, WwW.TRLink.NET, TurkPoweR, Skyr3x, Pierre Gardenat, Agd_Scorp, Mystick and Hexspirit.
Malicious people can exploit these bugs to conduct phishing attacks and infect bank customers and site visitors with crimeware.
HSBC:
client.hsbcprivatebank.fr XSS *
www.broking.hsbc.com.hk XSS *
www.broking.hsbc.com.hk XSS *
sb.hsbc.fr XSS *
www.broking.hsbc.com.hk XSS *
www.broking.hsbc.com.hk Open frame redirect *
services.assetmanagement.hsbc.fr XSS *
www.us.hsbc.com XSS
www.us.hsbc.com Open redirect
www.banking.us.hsbc.com XSS
insurance.hsbc.ca XSS
www.hsbc-reim.fr XSS
banque.hsbc.fr XSS
www.banking.us.hsbc.com XSS
sb.hsbc.fr XSS
www.banking.hsbc.co.in XSS
BARCLAYS:
group.barclays.com XSS *
www.barclays.com.au XSS *
bcol.barclaycard.co.uk XSS *
www.stockbrokers.barclays.co.uk XSS
www.barclays.com.au XSS
search.barclays.com Open redirect
HSBC and Barclays bank have been XSSed in the past.
We hope that they resolve these issues as soon as possible.
Related News:
-HSBC web sites are open to critical XSS attacks. Warning to customers! - 21 June 2008
-Two critical XSS bugs on Barclays bank website - 3 May 2009
-Barclays XSS vulnerability comes handy for scammers and blackhat hackers - 11 May 2008
-Plague of web bugs descend on British sites - The Register - Dan Goodin - 1 Jun 2009
-HSBC, Barclays and The Telegraph sites were found vulnerable to cyber fraud - Ecommerce Journal - Petrony - 2 Jun 2009